
Roger Perkin

Learn Network Automation


Ansible Vault Tutorial

If you have been using Ansible for a while, you will have wondered whether there is a way to encrypt password information.

There is: it’s called Ansible Vault.


In this Ansible Vault tutorial I will show you how to keep all your passwords and sensitive data in encrypted files within Ansible.

For information, this tutorial was performed on Ubuntu 18.04 Desktop.

What is Ansible Vault?


Ansible Vault is a brilliant feature within Ansible that enables you to keep all your passwords and sensitive data in encrypted files, as opposed to having them in plain text within playbooks or in vars. You either point Ansible Vault to the location of a password file or get Ansible to prompt for the password each time you run a playbook.


How do I use Ansible Vault?

There are a few steps to setting up an Ansible vault.

  1. Create vault file using ansible-vault encrypt
  2. Specify vault password
  3. View encrypted file using ansible-vault view

Let’s go through these steps in more detail.

ansible-vault create

First we are going to need a file that we are going to encrypt. This can either be a new file created in the vault process or we can encrypt a file that already exists. Let’s look at a new file first.

Enter the command ansible-vault create <filename>.yml


In this example I created a file called test-vault.yml

I entered some data in the file and saved it.

Now if we look at the file:

cat test-vault.yml

you can see that the contents are encrypted.

If we want to view that file we just enter the command:
ansible-vault view test-vault.yml

You will be prompted for a password and then you can see the contents of the file.


What if you wanted to encrypt a file that already exists? Simple.

ansible-vault encrypt

So you already have all your passwords and sensitive information in a file – in my case it is in ./group_vars/all.yml

This is the file:

ansible_user: "roger"
ansible_ssh_pass: "cisco"
ansible_network_os: "ios"

I am going to encrypt it and then run a playbook that needs that password information and see what happens.

First we will encrypt the file with the ansible-vault encrypt ./group_vars/all.yml command

ansible-vault encrypt ./group_vars/all.yml

You are prompted for a password and the file is encrypted.

To verify, if we view the file we see only the encrypted data.

Now I have a playbook called backup.yml which will need to access the data in ./group_vars/all.yml

So let’s see what happens when we run the playbook.

We get an error: Attempting to decrypt but no vault secrets found


The reason for this is that the all.yml file is now encrypted and you need a password to access the data, but we did not tell Ansible how to get the password.

You can do this in a few ways:

  • Prompt for the password during the playbook run
  • Specify the location to a password file during the playbook run
  • Specify the location to the password in ansible.cfg

Let’s look at all 3 options

Prompt for the password during the playbook run

Just add --ask-vault-pass to the end of your playbook run command, e.g.

ansible-playbook backup.yml --ask-vault-pass

You will then be prompted to enter the vault password when the playbook runs.

Using Ansible Vault with a Password File

You can also have another file which contains your password. This file needs to be secured with file permissions on the machine and also kept out of your Git repository.

You then specify where this file is with this command:

ansible-playbook backup.yml --vault-password-file vault-pass.txt

The vault-pass.txt file just needs to contain your password.

Specify the location of a password file in ansible.cfg

You can also specify the location of this file in the ansible.cfg file

vault_password_file = vault-pass.txt
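
The two points above, that an encrypted vars file shows only Vault ciphertext and that the password file must be locked down and kept out of Git, can be checked before every commit. The script below is an added example, not part of the original tutorial: the function names are hypothetical, the demo files are constructed, and it relies on the $ANSIBLE_VAULT; header line that ansible-vault writes at the top of every encrypted file.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit a Vault setup.

# Succeeds if the first line is a Vault header, e.g. $ANSIBLE_VAULT;1.1;AES256
is_vault_encrypted() {
    local first=""
    [ -f "$1" ] || return 1
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if group and other have no permissions on the password file.
password_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Usage: audit_vault_setup <password-file> <vars-file>...
# Prints one FAIL line per problem and returns 1 if anything failed.
audit_vault_setup() {
    local pw="$1" rc=0 dir f
    shift
    dir=$(dirname "$pw")
    password_file_is_private "$pw" ||
        { echo "FAIL: $pw is missing or accessible to group/other"; rc=1; }
    # The Git check only applies inside a work tree; it is skipped otherwise.
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
       ! git -C "$dir" check-ignore -q -- "$(basename "$pw")"; then
        echo "FAIL: $pw is not ignored by Git"; rc=1
    fi
    for f in "$@"; do
        is_vault_encrypted "$f" ||
            { echo "FAIL: $f has no Vault header (plaintext)"; rc=1; }
    done
    return "$rc"
}

# Constructed demo input: a plaintext vars file like the tutorial's and a
# world-readable password file, created in a throwaway directory.
demo=$(mktemp -d)
mkdir "$demo/group_vars"
printf 'ansible_user: "roger"\nansible_ssh_pass: "cisco"\n' > "$demo/group_vars/all.yml"
printf 'constructed-password\n' > "$demo/vault-pass.txt"
chmod 644 "$demo/vault-pass.txt"
audit_vault_setup "$demo/vault-pass.txt" "$demo/group_vars/all.yml" || true
rm -rf "$demo"
```

The demo prints two FAIL lines; after chmod 600 vault-pass.txt and ansible-vault encrypt ./group_vars/all.yml the same call returns 0.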

Decrypting Encrypted Files

If you no longer want your file to be encrypted, you can easily decrypt it using the following command:

ansible-vault decrypt <filename> 

You will be prompted for the password you originally used to encrypt the file and it will then be unencrypted.

Changing the Password of Encrypted Files

If you want to change the password of your encrypted file you can use the command

ansible-vault rekey <filename> 

You will be prompted for your original password and then your new password.

Note: you can also perform the encrypt, decrypt or rekey operation on multiple files at the same time.

Ansible is just one tool in the world of Network Automation, so I hope this tutorial has been helpful and please check out some other relevant posts below.

Other Ansible related posts:

  • What is Ansible and how it works?
  • Ansible Hosts File
  • Ansible Network Automation Course
  • Ansible for Network Engineers

Ansible Documentation – https://docs.ansible.com/ansible/latest/user_guide/vault.html

Frequently Asked Questions

How do you secure secrets in Ansible?

Ansible Vault allows you to secure your secrets, i.e. passwords, API keys and sensitive information, by encrypting them. Then, to access the secrets, you either have to provide the encryption password when running the playbook or store it in a secure place that the playbook can reference.

What is Ansible Vault?

Ansible Vault is a feature within Ansible that allows you to encrypt passwords and sensitive data rather than storing it all in plain text within a playbook or vars files. The encrypted data can be retrieved by supplying the password during a playbook run.

Where is the Ansible Vault file?

Your vault file can be anywhere you want it to be. You simply encrypt the file you want to secure by using the command ansible-vault encrypt and then supply a password.


Comments

  1. Kundan

    June 8, 2020 at 6:43 pm

    Hi Roger,

    Thanks for posting important video.
    I have a confusion if I want to use password as a variable and keep it in encrypted form and declare in a task can I do that. Need your guidance for that and if yo

    • Roger Perkin

      June 10, 2020 at 3:50 pm

      I don’t exactly understand your question.

      Are you saying you want to use a password directly in your playbook?

      The idea with Vault is all your passwords are kept in group_vars or host_vars and then you encrypt the entire file.

      If you want to put the password in your playbook there is no way to hide / encrypt that?

      Let me know?

Copyright © 2021 · Roger Perkin · All Rights Reserved · Powered by Mai Theme